#10324 - 06/01/10 02:43 PM Permissions issue with Java
jchuzi Online


Registered: 08/04/09
Loc: New York State
After installing Java for Mac OSX 10.6 Update 2 (version 1.0), I get the following no matter how many times I repair permissions:

Repairing permissions for “SnowLeopard HD”

Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/Deploy.bundle/Contents/Resources/
JavaPluginCocoa.bundle/Contents/Resources/Java/deploy.jar", should be lrwxr-xr-x , they are lrw-r--r-- .
Repaired "System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/Deploy.bundle/Contents/Resources/
JavaPluginCocoa.bundle/Contents/Resources/Java/deploy.jar".
Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Resources/JavaPluginCocoa.bundle/
Contents/Resources/Java/deploy.jar", should be -rw-r--r-- , they are lrwxr-xr-x .
Repaired "System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Resources/JavaPluginCocoa.bundle/
Contents/Resources/Java/deploy.jar".
Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Resources/JavaPluginCocoa.bundle/
Contents/Resources/Java/libdeploy.jnilib", should be -rwxr-xr-x , they are lrwxr-xr-x .
Repaired "System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Resources/JavaPluginCocoa.bundle/
Contents/Resources/Java/libdeploy.jnilib".

Permissions repair complete

In the past, this sort of thing has happened with SUID and ACL. Do these "repairs" mean anything or can they be ignored?


Edited by dkmarsh (06/01/10 03:45 PM)
Edit Reason: inserted hard returns to avoid stretched browser window
_________________________
Jon

OS 10.14.5, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#10326 - 06/01/10 03:52 PM Re: Permissions issue with Java [Re: jchuzi]
dkmarsh Offline

Moderator

Registered: 08/04/09

Quote:
...or can they be ignored?

I suspect you already know the answer ;), but just to refresh your memory, here's the short answer. And here's the long answer.

Perhaps Mr. Itosis will further elucidate! :o
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#10327 - 06/01/10 04:14 PM Re: Permissions issue with Java [Re: dkmarsh]
jchuzi Online


Registered: 08/04/09
Loc: New York State
That's what I figured. I breathlessly await Dr. Itosis's diagnosis.
_________________________
Jon

OS 10.14.5, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#10330 - 06/01/10 08:11 PM Re: Permissions issue with Java [Re: jchuzi]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Okay, you managed to get me to do my first DURP on the new MBP since installing updates. (i ran it once out of the box to prove to myself it reported zippo).

Yes... i get the same Java dudes (plus some suid party crashers... courtesy of a MBP update, as we'll prove later):

time diskutil verifyPermissions /
Code:
Started verify/repair permissions on disk0s2 MacHD
Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/Deploy.bundle/Contents/Resources/JavaPluginCocoa.bundle/Contents/Resources/Java/deploy.jar", should be lrwxr-xr-x , they are lrw-r--r-- 
Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Resources/JavaPluginCocoa.bundle/Contents/Resources/Java/deploy.jar", should be -rw-r--r-- , they are lrw-r--r-- 
Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Resources/JavaPluginCocoa.bundle/Contents/Resources/Java/libdeploy.jnilib", should be -rwxr-xr-x , they are lrwxr-xr-x 
Warning: SUID file "Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy" has been modified and will not be repaired
Warning: SUID file "usr/libexec/authopen" has been modified and will not be repaired
Warning: SUID file "usr/libexec/security_authtrampoline" has been modified and will not be repaired

Finished verify/repair permissions on disk0s2 MacHD

real	1m17.760s
user	0m0.038s
sys	0m0.035s

That was the third run (verify, repair, verify). The java items turn out to be symlinks. Generally speaking, i don't think permissions on symlinks count for much. Plus, these "unfixed" items are all undoubtedly byproducts of the infamous SU/DURP bug. [software update, disk utility repair permissions.]

So that answers that...



i'm just gonna play with those suid items for a minute, so we can have a record of it. [for all we know, some hacker has “modified” one of those files (as — mysteriously enough — that's *all* that DURP tells us). So i better do some checking, just in case. ;) ]

  1. First, find all boms which claim to know something about those three:

    for x in /var/db/receipts/*.bom; do if lsbom -p MUGsTf "$x" |
    grep -E '(kcproxy|authopen|security_authtrampoline)$'; then echo "$x"; echo; fi; done

    -rwsr-xr-x root admin 85824 Mon Feb 15 21:31:20 2010 ./Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
    /var/db/receipts/com.apple.pkg.AdditionalEssentials.bom

    -r-sr-xr-x root wheel 43648 Thu Feb 11 18:51:57 2010 ./usr/libexec/authopen
    -rws--x--x root wheel 47728 Thu Feb 11 17:44:57 2010 ./usr/libexec/security_authtrampoline
    /var/db/receipts/com.apple.pkg.Essentials.bom

    -rwsr-xr-x root admin 85824 Fri Mar 19 13:48:20 2010 ./Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
    -r-sr-xr-x root wheel 43648 Fri Mar 19 13:43:06 2010 ./usr/libexec/authopen
    -rws--x--x root wheel 47728 Fri Mar 19 13:35:27 2010 ./usr/libexec/security_authtrampoline
    /var/db/receipts/com.apple.pkg.MacBookProSoftwareUpdate1.3.bom

    So, kcproxy originally recorded in AdditionalEssentials, the two "auths" in Essentials, and all three apparently got updated in MacBookProSoftwareUpdate1.3. But hey, umm... they all seem to match (size-wise & owner,group,perms), except for the dates. Hmm, i could still be hacked. ;)


  2. Next up, let's look at the plists which correspond to those three (the plists store some sha1 digests, which Apple uses to detect altered suids):

    for x in /var/db/receipts/*.plist; do if defaults read "${x%.plist}" |
    grep -E '(kcproxy|authopen|security_authtrampoline)'; then echo "$x"; echo; fi; done

    "Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy" = <082e3017 8565fb82 e679ad97 85282e2b a3074c3a>;
    /var/db/receipts/com.apple.pkg.AdditionalEssentials.plist

    "usr/libexec/authopen" = <fd2e1873 78cf3beb f3705024 6f0cfcc3 a6cd667d>;
    "usr/libexec/security_authtrampoline" = <ab55f4a8 3828fa08 8807a8df 01a33bb5 e46afb11>;
    /var/db/receipts/com.apple.pkg.Essentials.plist

    "Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy" = <58268b41 6411cc25 814001fa 6e0ebf38 b156f58f>;
    "usr/libexec/authopen" = <c3d980d6 422eac6b eaef01d4 461890b2 3a4d6b81>;
    "usr/libexec/security_authtrampoline" = <b5d6d087 8873dd85 fe1cac90 9b50b451 ccf5048e>;
    /var/db/receipts/com.apple.pkg.MacBookProSoftwareUpdate1.3.plist

    Ah ha, clear differences. So now what?


  3. Finally, calculate sha1 digests on the current crop (need sudo for that "trampoline" goober):

    sudo openssl sha1 /App*/Util*/Key*/Contents/Resources/kcproxy /usr/libexec/{authopen,security_authtrampoline}
    Password:
    SHA1(/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy)= 58268b416411cc25814001fa6e0ebf38b156f58f
    SHA1(/usr/libexec/authopen)= c3d980d6422eac6beaef01d4461890b23a4d6b81
    SHA1(/usr/libexec/security_authtrampoline)= b5d6d0878873dd85fe1cac909b50b451ccf5048e

Add in some color for easy viewing, and sleep well tonight.
Every file matches from the MacBookProSoftwareUpdate1.3

Well that was a waste of time. :D  [naw, it's good to check... once.]

--

Also for the record: what's really needed here is for "someone" to figure out why DURP doesn't look in the right place for all this information. I'm not gonna go through the symlinks up there, but clearly the info for the suids match... and so Disk Utility should know that, and not be confusing folks with useless bogus reports. It's been like this since Leopard's first update, back in Nov. (or Dec.?) of 2007.

PLEASE, MAKE IT STOP.


Edited by Hal Itosis (06/01/10 08:53 PM)
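
The three-step check in the post above (digests recorded in the receipts versus the files on disk), as an added example that is not part of the original thread. It goes one step further and lists the paths that no receipt accounts for; the function names, the saved-dump input and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compare SHA-1 digests saved from receipt plists (the
# `defaults read` format of step 2) with the files currently on disk.

# Print a file's SHA-1 as hex, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 1 "$1"
    else openssl sha1 -r "$1"
    fi | cut -d' ' -f1
}

# check_receipts ROOT DUMP...   (hypothetical helper name)
# ROOT: directory the recorded relative paths resolve against ("/" live).
# Prints "STATUS<TAB>DUMP<TAB>PATH" with STATUS MATCH, DIFFER or MISSING.
check_receipts() (
    root=$1; shift
    for dump in "$@"; do
        # Rewrite  "path" = <xxxxxxxx ... xxxxxxxx>;  as  digest|path
        sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*=[[:space:]]*<\([0-9a-fA-F ]*\)>;.*/\2|\1/p' "$dump" |
        while IFS='|' read -r want path; do
            want=$(printf '%s' "$want" | tr -d ' ' | tr 'A-F' 'a-f')
            if [ ! -f "$root/$path" ]; then status=MISSING
            elif [ "$(sha1_of "$root/$path")" = "$want" ]; then status=MATCH
            else status=DIFFER
            fi
            printf '%s\t%s\t%s\n' "$status" "${dump##*/}" "$path"
        done
    done
)

# unexplained ROOT DUMP...: paths whose on-disk digest matches no receipt.
unexplained() {
    check_receipts "$@" | awk -F'\t' '
        { seen[$3] = 1 }
        $1 == "MATCH" { ok[$3] = 1 }
        END { for (p in seen) if (!(p in ok)) print p }' | sort
}

# Constructed sample: two receipts claim "bin/tool"; only the newer one
# records the digest of the file now on disk (the SHA-1 of "abc").
demo() (
    t=$(mktemp -d) && mkdir -p "$t/root/bin" || exit 1
    printf 'abc' > "$t/root/bin/tool"
    echo '"bin/tool" = <da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709>;' > "$t/old.txt"
    echo '"bin/tool" = <a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d>;' > "$t/new.txt"
    check_receipts "$t/root" "$t/old.txt" "$t/new.txt"
    rm -rf "$t"
)
demo
```

On a live system each dump would be the saved output of `defaults read "${x%.plist}"` from step 2 and ROOT would be `/`; run it with sudo, as in step 3, or files the current user cannot read are reported as DIFFER.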
